CN108141704A - Location identification of an originating network message processing device - Google Patents
- Publication number: CN108141704A (application CN201680056761.6A)
- Authority: CN (China)
- Prior art keywords: network node, network, location, message, data structure
- Legal status: Granted (the status listed by Google Patents is an assumption, not a legal conclusion)
Classifications
- H04W4/02: Services making use of location information (wireless communication networks)
- H04L45/745: Address table lookup; address filtering (routing or path finding of packets)
- H04L61/5014: Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
- H04L63/06: Network security architectures or protocols for supporting key management in a packet data network
- H04L63/107: Network security architectures or protocols for controlling access to devices or network resources wherein the security policies are location-dependent, e.g. entity privileges depend on current location, or specific operations are allowed only from locally connected terminals
- H04W12/06: Authentication (security arrangements; authentication; protecting privacy or anonymity)
- H04W12/08: Access security
- H04W12/63: Context-dependent security; location-dependent, proximity-dependent
- H04W12/64: Location-dependent, proximity-dependent security using geofenced areas
- H04W24/00: Supervisory, monitoring or testing arrangements
Abstract
A network message is transmitted from a first network node at a particular location to a second network node in a manner that enables the second network node to determine that the network message was processed by a computing system at that particular location. The particular location may be, for example, a geographic location or a network topology location. Proof of location is provided by signed location evidence that the first network node includes within the network message. The network message is then received by the second network entity, which uses the signed location data structure evidence as input to a process that determines, based at least on that evidence, that the network message was processed at the location.
Description
Background
Computing systems and associated networks have revolutionized the way humans work, play and communicate. Computer systems affect nearly every aspect of our lives in some way. The proliferation of networks has allowed computing systems to share data and communicate, greatly increasing access to information. For this reason, the present age is often called the "Information Age".
However, computing networks are often widely distributed and span multiple trust boundaries. For example, computing systems within a particular company's boundary may be trusted by that company more than computing systems outside it. Likewise, computing systems within a particular department of the company may be trusted more than computing systems in its other departments. Therefore, in order to ensure security, it is important to consider and enforce trust boundaries. Accordingly, when deciding whether to provide services and/or information to a particular computing system, it is helpful to determine whether that computing system lies within a certain trust boundary.
One conventional mechanism for estimating whether a computing system is within a particular trust boundary is based on the source Internet Protocol (IP) address of the messages that request services and/or information. If the source IP address identifies a computing system within the trust boundary, a higher level of trust is assigned to messages received from that computing system. Conventional techniques thus allow computing systems to communicate in a more trusted manner when they reside within the same trust boundary, and services and information can then be provided on the basis of that trust.
The subject matter claimed herein is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is provided merely to illustrate one exemplary technology area in which some embodiments described herein may be practiced.
Summary of the Invention
At least some embodiments described herein relate to transmitting a network message from a first network node at a particular location to a second network node in a manner that enables the second network node to determine that the network message was processed by a computing system at that particular location. The particular location may be, for example, a geographic location or a network topology location, and it may include multiple computing systems.
Proof of location is provided by signed location evidence that the first network node includes within the network message. The network message is then received by the second network entity, which uses the signed location data structure evidence as input to a process that determines, based at least on that evidence, that the network message was processed at the location. If the location is trusted, the second network node may permit certain technical actions to be performed in response to the received network message.
In one embodiment, the first network entity obtains the signed location data structure evidence from an Internet Protocol (IP) address assignment server that corresponds to an address range and that assigned the first network entity its IP address. The IP address assignment server may negotiate, publish or otherwise inform the second network entity how to verify the signature and how to extract the contents of the signed location data structure evidence. The signed location data structure evidence is therefore at least tamper-resistant, if not fully tamper-proof. In some embodiments, the signed location data structure evidence may be compared with the IP address associated with the first network node within the network structure, to ensure that they match before the second network node makes its location determination.
This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Brief Description of the Drawings
In order to describe the manner in which the above and other advantages and features can be obtained, a more particular description of various embodiments will be presented with reference to the accompanying drawings. With the understanding that these drawings depict only example embodiments and are therefore not to be considered limiting of the scope of the invention, the embodiments will be described and explained with additional features and detail through the use of the accompanying drawings, in which:
Figure 1 abstractly illustrates a computing system in which some embodiments described herein may be employed;
Figure 2 illustrates an environment that includes a first network node, located within a particular location, communicating over a network with a second network node;
Figure 3 illustrates a flowchart of a method by which a first network node at a location initiates transmission of a network message to a second network node in a manner that enables the second network node to determine that the message was processed by a computing system within the first network node's location;
Figure 4 illustrates a network message that includes signed location data structure evidence;
Figure 5 illustrates a flowchart of a method by which a first network node obtains signed location data structure evidence;
Figure 6 illustrates an environment having a location that includes an address assignment server with an associated address range, from which the server may select an address to assign to each of a plurality of network nodes; and
Figure 7 symbolically illustrates location data structure evidence.
Detailed Description
At least some embodiments described herein relate to transmitting a network message from a first network node at a particular location to a second network node in a manner that enables the second network node to determine that the network message was processed by a computing system at that particular location. The particular location may be, for example, a geographic location or a network topology location, and it may include multiple computing systems.
Proof of location is provided by signed location evidence that the first network node includes within the network message. The network message is then received by the second network entity, which uses the signed location data structure evidence as input to a process that determines, based at least on that evidence, that the network message was processed at the location. If the location is trusted, the second network node may permit certain technical actions to be performed in response to the received network message.
In one embodiment, the first network entity obtains the signed location data structure evidence from an Internet Protocol (IP) address assignment server that corresponds to an address range and that assigned the first network entity its IP address. The IP address assignment server may negotiate, publish or otherwise inform the second network entity how to verify the signature and how to extract the contents of the signed location data structure evidence. The signed location data structure evidence is therefore at least tamper-resistant, if not fully tamper-proof. In some embodiments, the signed location data structure evidence may be compared with the IP address associated with the first network node within the network structure, to ensure that they match before the second network node makes its location determination.
Some introductory discussion of a computing system will be provided with reference to Figure 1. Then, the transmission of a network message from a first network node to a second network node, such that the location of the first network node can be determined, will be described with reference to the subsequent figures.
Computing systems now increasingly take a wide variety of forms. For example, a computing system may be a handheld device, a home appliance, a laptop computer, a desktop computer, a mainframe, a distributed computing system, a data center, or even a device not conventionally considered a computing system, such as a wearable (e.g., glasses). In this description and in the claims, the term "computing system" is defined broadly to include any device or system (or combination thereof) that includes at least one physical and tangible processor and a physical and tangible memory capable of holding computer-executable instructions that may be executed by the processor. The memory may take any form and may depend on the nature and form of the computing system. A computing system may be distributed over a network environment and may include multiple constituent computing systems.
As illustrated in Figure 1, in its most basic configuration, a computing system 100 typically includes at least one hardware processing unit 102 and memory 104. The memory 104 may be physical system memory, which may be volatile, non-volatile, or some combination of the two. The term "memory" may also be used herein to refer to non-volatile mass storage such as physical storage media. If the computing system is distributed, the processing, memory and/or storage capability may be distributed as well. As used herein, the term "executable module" or "executable component" can refer to software objects, routines, or methods that may be executed on the computing system. The different components, modules, engines, and services described herein may be implemented as objects or processes that execute on the computing system (e.g., as separate threads).
In the description that follows, embodiments are described with reference to acts that are performed by one or more computing systems. If such acts are implemented in software, one or more processors (of the associated computing system that performs the act) direct the operation of the computing system in response to having executed computer-executable instructions. For example, such computer-executable instructions may be embodied on one or more computer-readable media that form a computer program product. An example of such an operation involves the manipulation of data. The computer-executable instructions (and the manipulated data) may be stored in the memory 104 of the computing system 100. The computing system 100 may also contain communication channels 108 that allow the computing system 100 to communicate with other computing systems over, for example, a network 110. The computing system 100 also includes a display, which may be used to present visual representations to a user.
Embodiments described herein may comprise or utilize a special-purpose or general-purpose computing system including computer hardware, such as, for example, one or more processors and system memory, as discussed in greater detail below. Embodiments described herein also include physical and other computer-readable media for carrying or storing computer-executable instructions and/or data structures. Such computer-readable media can be any available media that can be accessed by a general-purpose or special-purpose computing system. Computer-readable media that store computer-executable instructions are physical storage media. Computer-readable media that carry computer-executable instructions are transmission media. Thus, by way of example and not limitation, embodiments of the invention can comprise at least two distinctly different kinds of computer-readable media: storage media and transmission media.
Computer-readable storage media include RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other physical and tangible storage medium which can be used to store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general-purpose or special-purpose computing system.
A "network" is defined as one or more data links that enable the transport of electronic data between computing systems and/or modules and/or other electronic devices. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired and wireless) to a computing system, the computing system properly views the connection as a transmission medium. Transmission media can include a network and/or data links which can be used to carry desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general-purpose or special-purpose computing system. Combinations of the above should also be included within the scope of computer-readable media.
Further, upon reaching various computing system components, program code means in the form of computer-executable instructions or data structures can be transferred automatically from transmission media to storage media (or vice versa). For example, computer-executable instructions or data structures received over a network or data link can be buffered in RAM within a network interface module (e.g., a "NIC"), and then eventually transferred to computing system RAM and/or to less volatile storage media at the computing system. Thus, it should be understood that storage media can be included in computing system components that also (or even primarily) utilize transmission media.
Computer-executable instructions comprise, for example, instructions and data which, when executed at a processor, cause a general-purpose computing system, special-purpose computing system, or special-purpose processing device to perform a certain function or group of functions. Alternatively or in addition, the computer-executable instructions may configure the computing system to perform a certain function or group of functions. The computer-executable instructions may be, for example, binaries, or even instructions that undergo some translation (such as compilation) before direct execution by the processor, such as intermediate-format instructions such as assembly language, or even source code.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the features or acts described above. Rather, the described features and acts are disclosed as example forms of implementing the claims.
Those skilled in the art will appreciate that the invention may be practiced in network computing environments with many types of computing system configurations, including personal computers, desktop computers, laptop computers, message processors, handheld devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile telephones, PDAs, pagers, routers, switches, data centers, wearables (such as glasses), and the like. The invention may also be practiced in distributed system environments where local and remote computing systems, linked through a network (by hardwired data links, wireless data links, or a combination of hardwired and wireless data links), both perform tasks. In a distributed system environment, program modules may be located in both local and remote memory storage devices.
Figure 2 illustrates an environment 200 that includes a first network node 210 and a second network node 220. The first network node 210 is included within a particular location 211. The first network node 210 transmits a network message 231 (as represented by arrow 232) to the second network node 220 over a network 230. In accordance with the principles described in further detail herein, the first network node 210 does so in a manner that enables the second network node 220 to confirm that the network message 231 was processed within the particular location 211. If such a confirmation is made, the second network node 220 may perform a technical action or set of technical actions that it would not otherwise perform absent the confirmation. For instance, the actions may be predetermined, such as the second network node 220 logging receipt of the message, placing an action associated with the message in a queue, granting all or part of a request included within or associated with the message, and so forth. Other actions may be determined contemporaneously, such as actions based on current state, load-balancing actions, actions selected based on some level of random input, and so forth.
The particular location 211 may be a geographic location, which may be defined by any definable geographic boundary. For instance, a geographic location may be defined by a political boundary (e.g., Canada, the state of Kansas, and so forth), an organizational boundary (e.g., the Contoso corporate campus), a building boundary (e.g., Building 17), or any other definable geographic or physical boundary. The particular location 211 may also be a network topology boundary. For instance, a location might be defined as encompassing any computing system that is reachable in a particular way by a particular computing system or group of computing systems using a particular communication protocol.
The network 230 may be any network over which messages may be transmitted. By way of example only, the network 230 may be the Internet. The network message 231 may likewise be any network message that is structured to be transmitted over the network 230. The network message 231 may exist at any level of the protocol stack. For instance, the network message 231 may exist at the Internet layer of the protocol stack, such as, by way of example only, an IPv4 message, an IPv6 message, an Internet Control Message Protocol (ICMP) message, an ICMPv6 message, an Internet Group Management Protocol (IGMP) message, a Gateway-to-Gateway Protocol message, or any other Internet protocol, whether now existing or yet to be developed.
However, the network message 231 is not limited to messages recognized at any particular level of the protocol stack. For instance, the network message 231 may alternatively be an application-level message, such as a HyperText Transfer Protocol (HTTP) message, a Transport Layer Protocol (TLP) message, or any other application-level message, whether such an application or application-level protocol now exists or is yet to be developed. The network message 231 may alternatively be a message recognized at the transport level, the link layer, or any other level of the protocol stack.
The first network node 210 and the second network node 220 may each be any system or device capable of transmitting the network message 231 over the network 230. For instance, the network nodes 210 and 220 may each be any device or system capable of processing the network message 231. By way of example only, a network node may be a client computing system, a server computing system, a gateway, a router, a load balancer, a proxy server, a network address translator, or any other computing device or system. As an example, the first network node 210 and the second network node 220 may each be structured as described above for the computing system 100 of Figure 1.
In one embodiment, the first network node 210 is the source of the network message 231, and the second network node 220 is the destination of the network message 231. However, in alternative embodiments, as represented by the ellipsis 201, the first network node 210 is not the source of the network message 231 but instead receives and processes the network message before routing it toward the second network node 220. This possibility is further represented by the dashed arrow 241 in Figure 2.
Alternatively or in addition, as represented by the ellipsis 202, the second network node 220 need not be the destination of the network message 231, but instead receives the network message 231 from the first network node 210, processes it, and routes it further along its path toward the final destination of the network message. This possibility is further represented by the dashed arrow 242 in Figure 2.
FIG. 3 illustrates a flowchart of a method 300 for a first network node at a location to initiate transmission of a network message to a second network node in a manner that enables the second network node to determine that the message was processed by a computing system within the location of the first network node. Some of the acts of method 300 may be performed by first network node 210 of FIG. 2, as shown in the left column of FIG. 3 under the heading "First Node", and are numbered in the 310s. Other acts of method 300 may be performed by second network node 220 of FIG. 2, as shown in the right column of FIG. 3 under the heading "Second Node", and are numbered in the 320s.
The first network node obtains signed location data structure evidence corresponding to the location of the first network node (act 311). For example, the signed location data structure evidence may correspond to location 211 of first network node 210 of FIG. 2. More about location data structure evidence is described further below. For now it suffices to say that the signed location data structure evidence is structured so that second network node 220 can interpret it as input to a process that determines that a network message containing the signed location data structure evidence was processed by a computing system within location 211.
The first network node then includes the signed location data structure evidence within a network message (act 312). For example, FIG. 4 shows a network message 400 that includes signed location data structure evidence 411. First network node 210 may thus place signed location data structure evidence 411 within message 400. The fact that the data structure is signed is represented in FIG. 2 by the element drawn with thicker lines.
Unlike conventional techniques, the location evidence is not the source IP address itself. Indeed, network message 400 is shown with a first network node address 401 of the first network node, which is distinct from location data structure evidence 411. As an example, first network node address 401 may be the IP address of first network node 210.
As previously mentioned, first network node 210 may be the source of network message 400, in which case first network node 210 also constructs network message 400. In that case, location data structure evidence 411 may be placed within network message 400 when the message is constructed or shortly thereafter. Furthermore, network node address 401 will then be the source network node address (e.g., the source IP address) of message 400.
Alternatively, as previously described, first network node 210 may have received and processed message 400, and in the course of that processing obtained location data structure evidence 410 and placed it within message 400. In that case, the first network node address may be an intermediate address (e.g., an intermediate IP address) within message 400.
The first network node then initiates dispatch of the network message, which includes the signed location data structure evidence, to the second network node (act 313). For example, in FIG. 2, first network node 210 dispatches the message to second network node 220 over network 230, as indicated by arrow 231. The dispatched message may be, for example, message 400 of FIG. 4, which includes location data structure evidence 410.
In this description, first network node 210 is described as including a single piece of signed location data structure evidence within network message 400. However, first network node 210 may perform acts 311 and 312 multiple times to insert multiple pieces of signed location data structure evidence into network message 400. This is represented in FIG. 4 by ellipsis 412. The multiple pieces of location data structure evidence may relate to the same location 411, or to different locations attributable to first network node 210. Furthermore, the multiple pieces of signed location data structure evidence may all be evaluated by second network node 220, or each may be processed by a different network node along the path of network message 231.
Once the second network entity receives the network message from the first network entity (act 321), the second network node verifies that the signed location data structure evidence was signed at the particular location of the first network node (act 322). For example, second network entity 220 verifies that signed location data structure evidence 411 included in the message was signed within the particular location 211 of first network node 210.
Furthermore, to further enhance security, the second network node determines that the first network node address included in the message is associated with the signature of the signed location data structure evidence (act 323). For example, second network node 220 determines that first network node address 401 is associated with the signature of signed location data structure evidence 411.
Based on the verification of act 322, or of acts 322 and 323, the second network node determines that the message was processed by a computing system within the location of the first network entity (act 324). For example, second network node 220 determines that message 400 was processed within particular location 211.
The second network node may then perform a technical action based on that determination (act 325). As examples, such technical actions may include logging receipt of the message, placing an action associated with the message in a queue, granting all or part of a request included within or associated with the message, and so forth.
Although first network node 210 is described as inserting the signed evidence into network message 400, in the case where first network node 210 is not the source of the network message, the network message may be received by first network node 220 already containing one or more pieces of location data structure evidence. These one or more other pieces of location data structure evidence are also represented by ellipsis 412 in FIG. 4. Accordingly, second network node 202 may perform acts 322 through 324 for each of one, some, or all of the multiple pieces of location data structure evidence included within the network message, with respect to the multiple locations in the network message's prior path.
FIG. 5 illustrates a flowchart of a method 500 for a first network node to obtain signed location data structure evidence. Method 500 represents one example of how first network node 210 of FIG. 2 performs act 311 of FIG. 3. Method 500 may be performed within environment 506 of FIG. 6. Environment 600 includes a location 601 that includes an address assignment server 610 (e.g., an IP address assignment server) with an associated address range 611. Address assignment server 610 is capable of assigning addresses (e.g., IP addresses) from address range 611 to any network node within location 601.
Location 601 also includes a plurality of network nodes 621 through 624 to which IP address assignment server 610 is capable of assigning IP addresses. Although four network nodes 621 through 624 are shown within location 601, location 601 may include any number of network nodes, as indicated by ellipsis 625. Thus, in this case, location 601 is a network-topological location representing all network nodes that can be assigned addresses by IP address assignment server 610 having address range 611.
One of network nodes 621 through 624 (e.g., network node 621) may be first network node 210 of FIG. 2. In that case, location 601 is an example of particular location 211 of FIG. 2. As mentioned above, method 500 of FIG. 5 is for a first network node to obtain signed location data structure evidence. Furthermore, the method may be performed in environment 600 of FIG. 6. Acts performed by a network node (e.g., first network node 210, an example of which is network node 621) are in the left column of FIG. 5 under the heading "Network Node" and are numbered in the 510s. Acts performed by an address assignment server (e.g., address assignment server 610) are under the heading "Assignment Server" and are numbered in the 520s.
According to method 500, the first network node requests that an address assignment server having an associated address range sign location data structure evidence (act 511). For example, in FIG. 6, network node 621 may request that address assignment server 610 sign and return location data structure evidence. In an embodiment referred to herein as the "DHCP boot embodiment", the address assignment server is a Dynamic Host Configuration Protocol (DHCP) server, which assigns IP addresses to network nodes when they boot and broadcast a request for an IP address. Thus, in the DHCP boot embodiment, the act is performed when network node 210 (e.g., network node 621) boots from a powered-off state. For example, the request for signed location data structure evidence may be inferred from the normal request for an IP address that the network node broadcasts (and the DHCP server receives) when it boots. Thus, the DHCP server may interpret that request as both a request for an IP address and a request for signed location data structure evidence.
The address assignment server then receives the request (act 521). This is represented by arrow 631 in FIG. 6. The address assignment server then constructs the location data structure evidence (act 522). FIG. 7 symbolically illustrates such location data structure evidence 700. Location data structure evidence 700 may include the address 701 assigned to first network node 510 (e.g., network node 621), the address range 702 of address assignment server 610, the expiry time 703 of address 701 assigned to the network node, and the renewal time 704 of address 701 assigned to the network node. In the DHCP boot embodiment, address 701 may be the address concurrently assigned from within address range 611 by the DHCP server (an example of address assignment server 610).
The address assignment server then signs the location data structure evidence (act 523). The location data structure evidence is signed with a signature such that second network node 520 can extract the location data structure evidence. For example, address assignment server 610 and second network node 220 may coordinate such that second network node 220 holds a public key associated with a private key held by address assignment server 610, and address assignment server 610 signs the location data structure evidence using that private key. The principles described herein are not limited to how this is accomplished. Conventional mechanisms for completing such a negotiation include public key infrastructure (PKI) systems. In that case, the address assignment server may negotiate through that system with every possible subsequent network node to which first network node 210 might prove its location. Alternatively, the address assignment server may simply publish the public key, in which case second node 220 may simply obtain that public key before, or in response to, receiving the network message. Such publication may take place using the Domain Name System (DNS). Alternatively, the public key may already be included within location data structure evidence 700.
The address assignment server then sends the signed location data structure evidence back to the first network node (act 524). In the DHCP boot embodiment, the address assignment server may also send the assigned IP address back to the network node. For example, referring to FIG. 6, as indicated by arrow 631, address assignment server 610 returns the signed location data structure evidence (along with, potentially, the assigned address) to network node 621. The first network node then receives the signed location data structure evidence.
Having said more about how the signed location data structure evidence is generated, more will now be said about how the verification of acts 322 and 323 takes place. To verify that the location data structure evidence was signed at location 211, second network node 220 first trusts that any network node that can be assigned an address by the address assignment server is indeed topologically co-located. Furthermore, because second network node 220 holds the public key corresponding to the private key used by the address assignment server to sign the location evidence, the location evidence is tamper-proof, or at least tamper-evident. That is, if the location evidence cannot be extracted from the signed location data structure evidence using the public key, the second network node determines that the signed location data structure evidence has been tampered with. Once the second network node has extracted the location data structure evidence using the public key associated with the address assignment server, it can then verify that network node address 701 is indeed within the address range of the address assignment server.
Alternatively or additionally, second network node 220 does not hold in advance the public key corresponding to the private key used by the address assignment server. In that case, signed location data structure evidence 700 carries the public key or the name of the address assignment service.
Furthermore, for act 323, the second network node verifies that the actual network address 401 included in network message 411 plausibly belongs to the address range. The name or public key in the signed location data structure evidence is compared against a set of trusted address assignment servers held at the second network node. If a match is found, the matching public key is considered trusted. Signature verification generally consists of recomputing a digest of the location information, processing the signature value with the public key, and finally comparing the result with the digest value. In general, the location data structure is always accessible in plaintext; the signature proves that (a) it was issued by a trusted source and (b) it was not modified in transit. Alternatively, this may be checked simply by verifying that network address 401 is the same as network address 701 included in the location data structure evidence, or that the network address falls within address range 702 of the data structure. In some embodiments, address range 702 need not be placed within the location data structure evidence at all, but is simply a piece of information the second network node has already determined based on prior negotiation with the address assignment server (e.g., through the DNS system or a PKI system). This final verification of act 323 prevents constructed signed location data evidence from being copied from one message into another.
In some embodiments, various processes between the first network node and the second network node may alter network address 401. For example, load balancers, proxy servers, network address translators, and other processes may change network address 401. In such cases, however, network address 401 is preserved in some other part of network message 400, or in an aggregation of network message 400 with other network messages. For example, suppose network message 400 is an IP packet. By aggregating the various IP packets, an application-level HTTP message can be recovered. The X-Forwarded-For header of that HTTP message can preserve network address 401, which would otherwise be overwritten by such an intermediate process.
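The sign-and-verify exchange described above (acts 523, 322 and 323, plus the X-Forwarded-For case), as an added Python example that is not part of the patent: an HMAC-SHA256 tag keyed per assignment server stands in for the private-key signature, the CIDR range, Unix-second timestamps and the dictionary message layout are assumed representations, and the verifier's table of trusted server names models the set of trusted address assignment servers held at the second node.

```python
import hashlib
import hmac
import ipaddress
import json
from dataclasses import asdict, dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class LocationEvidence:
    """Location data structure evidence 700: fields 701-704 plus the issuer's name."""
    assigned_address: str  # 701: address the assignment server gave the first node
    address_range: str     # 702: the server's range, as CIDR (assumed representation)
    expires_at: int        # 703: expiry of the assignment (Unix seconds, assumed)
    renew_at: int          # 704: renewal time of the assignment (Unix seconds, assumed)
    server_name: str       # name of the assignment service, carried in place of a key

    def canonical(self) -> bytes:
        # Deterministic serialization so signer and verifier digest identical bytes.
        return json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()


def sign_evidence(evidence: LocationEvidence, server_key: bytes) -> dict:
    """Assignment server, act 523. HMAC-SHA256 is a constructed stand-in for the
    private-key signature (the stdlib has no asymmetric signing)."""
    tag = hmac.new(server_key, evidence.canonical(), hashlib.sha256).hexdigest()
    return {"evidence": asdict(evidence), "signature": tag}


def build_message(source_address: str, payload: str, signed_evidence: dict,
                  x_forwarded_for: Optional[str] = None) -> dict:
    """Network message 400: node address 401 plus signed evidence 411 (act 312)."""
    msg = {"source_address": source_address, "payload": payload,
           "location_evidence": signed_evidence}
    if x_forwarded_for is not None:
        # Original address 401, preserved by an intermediary that rewrote the source.
        msg["x_forwarded_for"] = x_forwarded_for
    return msg


def effective_source(message: dict):
    """Address 401 as seen by the second node: the first X-Forwarded-For entry when a
    NAT, proxy or load balancer rewrote the packet source, else the packet source."""
    raw = message.get("x_forwarded_for") or message["source_address"]
    return ipaddress.ip_address(raw.split(",")[0].strip())


def verify_location(message: dict, trusted_servers: Dict[str, bytes],
                    now: int) -> Tuple[bool, str]:
    """Second node, acts 322-324. Returns (accepted, reason)."""
    signed = message.get("location_evidence")
    if not signed:
        return False, "no location evidence"
    try:
        evidence = LocationEvidence(**signed["evidence"])
    except (KeyError, TypeError):
        return False, "malformed evidence"
    # Match the named issuer against the trusted set; no match means no trusted key.
    key = trusted_servers.get(evidence.server_name)
    if key is None:
        return False, "unknown assignment server"
    # Act 322: recompute the digest/tag over the plaintext evidence, compare in constant time.
    expected = hmac.new(key, evidence.canonical(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(signed.get("signature", ""))):
        return False, "signature mismatch: evidence tampered or forged"
    try:
        net = ipaddress.ip_network(evidence.address_range, strict=False)
        assigned = ipaddress.ip_address(evidence.assigned_address)
        source = effective_source(message)
    except ValueError:
        return False, "malformed address fields"
    if assigned not in net:
        return False, "assigned address outside the server's range"
    if now >= evidence.expires_at:
        return False, "assignment expired"
    # Act 323: bind address 401 to the evidence so it cannot be replayed in another message.
    if source != assigned and source not in net:
        return False, "message source not bound to evidence"
    return True, f"processed within location {evidence.address_range}"


if __name__ == "__main__":
    # Constructed sample: one site with a DHCP-style assignment server and a node.
    key = b"constructed-site-a-dhcp-key"
    trusted = {"dhcp.site-a.example": key}
    ev = LocationEvidence("10.20.30.40", "10.20.30.0/24", 2_000_000, 1_500_000,
                          "dhcp.site-a.example")
    signed = sign_evidence(ev, key)
    print(verify_location(build_message("10.20.30.40", "hello", signed), trusted, 1_000_000))
    print(verify_location(build_message("203.0.113.9", "hello", signed), trusted, 1_000_000))
```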
As mentioned above, the location data structure evidence may be bound to first network node 210. This may be accomplished by including within the location evidence a piece of information that is bound to the first network node. For example, when requesting location data structure evidence from the address assignment server, the first network node may derive that information based on its Trusted Platform Module (TPM). This may be an actual physical TPM residing on the first network node, or a software emulation of a TPM.
The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is therefore indicated by the appended claims rather than by the foregoing description. All changes that come within the meaning and range of equivalency of the claims are to be embraced within their scope.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US14/929,081 US10084705B2 (en) | 2015-10-30 | 2015-10-30 | Location identification of prior network message processor |
| PCT/US2016/058336 WO2017074824A1 (en) | 2015-10-30 | 2016-10-22 | Location identification of prior network message processor |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN108141704A true CN108141704A (en) | 2018-06-08 |
| CN108141704B CN108141704B (en) | 2021-01-15 |
Family
ID=57233913
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201680056761.6A Active CN108141704B (en) | 2015-10-30 | 2016-10-22 | Location identification of previous network message processors |
Country Status (4)
| Country | Link |
|---|---|
| US (1) | US10084705B2 (en) |
| EP (1) | EP3369261B1 (en) |
| CN (1) | CN108141704B (en) |
| WO (1) | WO2017074824A1 (en) |
- 2015-10-30: US application US14/929,081, granted as US10084705B2 (active)
- 2016-10-22: EP application EP16791220.3A, granted as EP3369261B1 (active)
- 2016-10-22: CN application CN201680056761.6A, granted as CN108141704B (active)
- 2016-10-22: PCT application PCT/US2016/058336, published as WO2017074824A1 (application filing)
Also Published As
| Publication number | Publication date |
|---|---|
| EP3369261A1 (en) | 2018-09-05 |
| EP3369261B1 (en) | 2019-08-14 |
| US20170126562A1 (en) | 2017-05-04 |
| CN108141704B (en) | 2021-01-15 |
| US10084705B2 (en) | 2018-09-25 |
| WO2017074824A1 (en) | 2017-05-04 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |